Download Location: http://206.51.233.130/iexplore.exe
File Name: iexplore.exe
File size: 54272 bytes
MD5: f3d6284fee5bc18518bed6a4aba256d1
SHA1: 91ba5ec258ee697f7662ef5c0045a6b817f5c390
PEiD: MinGW GCC 3.x
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=f3d6284fee5bc18518bed6a4aba256d1
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=CAF2263500455438D4F900D20458B100D95F8EE8

VirusTotal Result: 31/32 (96.88%)
AhnLab-V3: Win-Trojan/Bushi.54272
AntiVir: TR/Spy.Agent.QD.1
Authentium: W32/Pws.AVC
Avast: Win32:Trojan-gen {Other}
AVG: PSW.Agent.GBD
BitDefender: Trojan.Spy.Agent.QD
CAT-QuickHeal: TrojanSpy.Agent.qd
ClamAV: Trojan.Spy-16555
DrWeb: Trojan.KeyLogger.949
eSafe: Win32.Agent.qd
eTrust-Vet: Win32/VMalum.RSW
Ewido: Logger.Agent.qd
F-Prot: W32/Pws.AVC
F-Secure: Trojan-Spy.Win32.Agent.qd
FileAdvisor: High threat detected
Fortinet: W32/Dloader.FGL!tr
Ikarus: Trojan-Spy.Win32.Banker.RM
Kaspersky: Trojan-Spy.Win32.Agent.qd
McAfee: Spy-Agent.cd
NOD32v2: Win32/Spy.Agent.QD
Norman: W32/Agent.BILJ
Panda: Trj/Downloader.MES
Prevx1: Generic.Malware
Rising: Trojan.Spy.Agent.cro
Sophos: Troj/Keylog-JR
Sunbelt: Trojan.Win32.VB.aft
Symantec: Infostealer
TheHacker: Trojan/Spy.Agent.qd
VBA32: Trojan.Win32.Spy.Agent.QD
VirusBuster: Trojan.DL.Agent.FXM
Webwasher-Gateway: Trojan.Spy.Agent.QD.1

Analysis Report: http://malwareinfo.freeforums.org/206-51-233-130-iexplore-exe-t12.html

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0006
Time/Date stamp: 459D628F
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 030F
Magic: 010B
Linker version (major): 02
Linker version (minor): 38
Size of code: 00004E00
Size of initialized data: 0000D000
Size of uninitialized data: 0005BC00
Address of entry point: 00001240
Base of code: 00001000
Base of data: 00006000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0001
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0006C000
Size of headers: 00000400
Checksum: 000102B9
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00200000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00004C24  00001000  00004E00  00000400  60000060
.data    00000110  00006000  00000200  00005200  C0000040
.rdata   00000D20  00007000  00000E00  00005400  40000040
.bss     0005BA80  00008000  00000000  00000000  C0000080
.idata   00000A98  00064000  00000C00  00006200  C0000040
.rsrc    00006490  00065000  00006600  00006E00  C0000040

Import table (libraries: 7)

ADVAPI32.DLL (imports: 6)
GetUserNameA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA

KERNEL32.dll (imports: 18)
AddAtomA
CreateProcessA
CreateThread
ExitProcess
FindAtomA
GetAtomNameA
GetComputerNameA
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetSystemInfo
GetTickCount
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
MoveFileExA
SetUnhandledExceptionFilter
Sleep

msvcrt.dll (imports: 2)
_mkdir
_sleep

msvcrt.dll (imports: 40)
__getmainargs
__p__environ
__p__fmode
__set_app_type
_cexit
_iob
_onexit
_setmode
abort
atexit
atoi
ctime
exit
fclose
fflush
fopen
fprintf
free
fwrite
getchar
malloc
memcpy
memset
printf
rand
signal
sprintf
srand
strcat
strchr
strcmp
strcpy
strlen
strncat
strncmp
strncpy
strstr
system
time
tolower

USER32.dll (imports: 5)
CallNextHookEx
GetForegroundWindow
GetMessageA
GetWindowTextA
SetWindowsHookExA

WININET.DLL (imports: 6)
HttpOpenRequestA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetReadFile

WS2_32.DLL (imports: 12)
WSACleanup
WSAIoctl
WSAStartup
bind
gethostbyname
gethostname
htons
inet_ntoa
ntohs
recv
sendto
socket

Loaded DLLs:
c:\temp\f3d6284fee5bc18518bed6a4aba256d1.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.DLL
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\WININET.DLL
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\OLE32.DLL
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\System32\WS2_32.DLL
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\Secur32.dll

File System Activity:
Create File: c:\windows\iexplore\iexplore.exe
Move File: c:\temp\f3d6284fee5bc18518bed6a4aba256d1.exe to c:\windows\iexplore\iexplore.exe

Registry Values Created:
HKLM\SOFTWARE\Internet Explorer
HKLM\SOFTWARE\Internet Explorer\id

Registry Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Internet Explorer\id
  "IeID" = 98JPUQP0KV8FFBNI8L9UDWRMD1YTSRL7WYJCKSYWPOPDNXX35ICWNIJIJ3VM2RLXMWHMDV2PHDVCDK5B8ZBCKYFY8VCHP3KVXOL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "WindowsUpdate renew" = c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew

Registry Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Internet Explorer\id
  "IeID"

System Info:
Get Windows Directory
Get Computer Name

User Management:
Get User Name

BinText revealed the url: xxx.samedi.org

Whois samedi.org:
Domain ID:D103251679-LROR
Domain Name:SAMEDI.ORG
Created On:28-Nov-2003 01:16:28 UTC
Last Updated On:09-Nov-2006 14:38:36 UTC
Expiration Date:28-Nov-2015 01:16:28 UTC
Sponsoring Registrar:Tucows Inc. (R11-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:tubcUuQpC1844bRe
Registrant Name:Zhong Chengpu
Registrant Organization:Zhong Chengpu
Registrant Street1:20/F Citicorp Centre 18 Whitfield Road Causeway Bay
Registrant Street2:
Registrant Street3:
Registrant City:Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:845080
Registrant Country:HK
Registrant Phone:+8.522893
Registrant Phone Ext.:8200
Registrant FAX:+8.522983
Registrant FAX Ext.:5245
Registrant **************@samedi.org
Admin ID:tuz67PZ5NwQhbwKe
Admin Name:Zhong Chengpu
Admin Organization:Zhong Chengpu
Admin Street1:20/F Citicorp Centre 18 Whitfield Road Causeway Bay
Admin Street2:
Admin Street3:
Admin City:Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:845080
Admin Country:HK
Admin Phone:+8.522893
Admin Phone Ext.:8200
Admin FAX:+8.522983
Admin FAX Ext.:5245
Admin **************@samedi.org
Tech ID:tugMzKOz0g9lKrp4
Tech Name:Zhong Chengpu
Tech Organization:Zhong Chengpu
Tech Street1:20/F Citicorp Centre 18 Whitfield Road Causeway Bay
Tech Street2:
Tech Street3:
Tech City:Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:845080
Tech Country:HK
Tech Phone:+8.522893
Tech Phone Ext.:8200
Tech FAX:+8.522983
Tech FAX Ext.:5245
Tech **************@samedi.org
Name Server:DNS1.SAMEDI.ORG
Name Server:DNS2.SAMEDI.ORG
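Added example (editor's code, not part of the original post or its tools): a small Python triage script that turns the static data in the report above into the same conclusions the behavioral section reaches. It takes the Win32 import table and section table exactly as listed (embedded here as constructed input copied from the report), maps co-occurring APIs to capabilities (message-hook keylogging, registry persistence, WinINet HTTP traffic, raw sockets, self-relocation), decodes the PE Time/Date stamp to a build date, and flags any section marked both writable and executable. The capability-to-API mapping and the section-flag constants are the example author's own; the API names are from the report.

```python
import datetime
from typing import Dict, List, Set, Tuple

# Constructed input: Win32 import table as listed in the report (msvcrt omitted).
IMPORTS: Dict[str, List[str]] = {
    "ADVAPI32.DLL": ["GetUserNameA", "RegCloseKey", "RegCreateKeyExA",
                     "RegOpenKeyExA", "RegQueryValueExA", "RegSetValueExA"],
    "KERNEL32.dll": ["AddAtomA", "CreateProcessA", "CreateThread", "ExitProcess",
                     "FindAtomA", "GetAtomNameA", "GetComputerNameA", "GetLastError",
                     "GetModuleFileNameA", "GetModuleHandleA", "GetSystemInfo",
                     "GetTickCount", "GetVersionExA", "GetWindowsDirectoryA",
                     "GlobalMemoryStatus", "MoveFileExA",
                     "SetUnhandledExceptionFilter", "Sleep"],
    "USER32.dll": ["CallNextHookEx", "GetForegroundWindow", "GetMessageA",
                   "GetWindowTextA", "SetWindowsHookExA"],
    "WININET.DLL": ["HttpOpenRequestA", "HttpSendRequestA", "InternetCloseHandle",
                    "InternetConnectA", "InternetOpenA", "InternetReadFile"],
    "WS2_32.DLL": ["WSACleanup", "WSAIoctl", "WSAStartup", "bind", "gethostbyname",
                   "gethostname", "htons", "inet_ntoa", "ntohs", "recv", "sendto",
                   "socket"],
}

# Constructed input: (name, characteristics flags) from the PE Sections table above.
SECTIONS: List[Tuple[str, str]] = [
    (".text", "60000060"), (".data", "C0000040"), (".rdata", "40000040"),
    (".bss", "C0000080"), (".idata", "C0000040"), (".rsrc", "C0000040"),
]

# Heuristic: a capability is reported only when every API in its set is imported.
# This mapping is the example author's own, not from the report.
CAPABILITIES: Dict[str, Set[str]] = {
    "keylogger (message hook + window title capture)":
        {"SetWindowsHookExA", "CallNextHookEx", "GetForegroundWindow", "GetWindowTextA"},
    "registry persistence / config storage":
        {"RegCreateKeyExA", "RegSetValueExA", "RegQueryValueExA"},
    "HTTP client (exfiltration or download)":
        {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA"},
    "raw socket / UDP traffic":
        {"WSAStartup", "socket", "sendto", "recv"},
    "self-relocation (move own binary)":
        {"GetModuleFileNameA", "MoveFileExA"},
    "host fingerprinting":
        {"GetComputerNameA", "GetUserNameA", "GetVersionExA"},
}

# IMAGE_SCN_* section characteristic bits (subset relevant to triage).
SECTION_BITS = {
    0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA", 0x20000000: "EXECUTE",
    0x40000000: "READ", 0x80000000: "WRITE",
}


def all_imports(table: Dict[str, List[str]]) -> Set[str]:
    """Flatten the per-DLL import table into one set of API names."""
    return {name for funcs in table.values() for name in funcs}


def triage(table: Dict[str, List[str]]) -> List[str]:
    """Return capability labels whose full API set is present in the imports."""
    names = all_imports(table)
    return [cap for cap, required in CAPABILITIES.items() if required <= names]


def decode_timestamp(hex_stamp: str) -> datetime.datetime:
    """PE TimeDateStamp is seconds since the Unix epoch, stored as a DWORD."""
    return datetime.datetime.fromtimestamp(int(hex_stamp, 16), tz=datetime.timezone.utc)


def section_flags(flags_hex: str) -> List[str]:
    """Decode a section Characteristics DWORD into sorted flag names."""
    value = int(flags_hex, 16)
    return sorted(name for bit, name in SECTION_BITS.items() if value & bit)


def wx_sections(sections: List[Tuple[str, str]]) -> List[str]:
    """Names of sections that are both writable and executable (a packer/shellcode hint)."""
    return [name for name, flags in sections
            if {"WRITE", "EXECUTE"} <= set(section_flags(flags))]


if __name__ == "__main__":
    print("Compiled:", decode_timestamp("459D628F").isoformat())
    for cap in triage(IMPORTS):
        print("Capability:", cap)
    for name, flags in SECTIONS:
        print(f"{name:7s} {flags} -> {', '.join(section_flags(flags))}")
    print("W+X sections:", wx_sections(SECTIONS) or "none")
```

Run as a script it prints the build date, the capability list, and the decoded section flags. The hook-plus-window-title combination is what distinguishes a keylogger from an ordinary GUI program, and the WinINet set is the static counterpart of the xxx.samedi.org string BinText found; together they match the Trojan-Spy verdicts above without running the sample.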